Hi,
Thanks a lot for a very nice tutorial! It seems that it is actually possible to use a pkcs15 smart card with GPG (as opposed to the openpgp card).
I haven't had the opportunity to try it yet (I just ordered a few smartcards from Gooze) but it seems that it can be done using a pkcs11 plugin for gpg: http://gnupg-pkcs11.sourceforge.net/support.html

Yes, I know about gnupg-pkcs11, this is what I have been struggling with. As I said, it's a bit of a hack, so it doesn't seem very reliable. I had issues at some point in the process of making it recognize the keys on the smart card, and I haven't been able to track the problem down.

First of all, thanks a lot for this very complete guidance. I'm a beginner, so I still had some difficulties getting the hardware to work etc.

I am using an OpenPGP 1.1 card. I managed to get 3 keys on it. My objective would be to use it for login.

I had little luck with pkcs-... , I used gpg to create the keys.

Anyway, now I would need to export a certificate. This is where I fail at the moment. I tried

Code:

gpgsm --gen-key >x.pem
(3) Existing key from card
then chose the third key,
(1) sign, encrypt
Really create request? (y/N) y
Now creating certificate request. This may take a while ...
gpgsm: about to sign CSR for key: &76D93C191A5829154E5330D85585B4F652757F8E
gpgsm: certificate request created
Ready. You should now send this request to your CA.

I got a Feitian card. On Lucid I had to install OpenSC 0.12.1 to make it work. I also had to copy over stuff from /usr/local/bin and /usr/local/lib to /usr/bin and /usr/lib. This is just for the sake of the record.

OK, so I initialized the card. The next step is exactly the same, where I got stuck with the other card:

> I got a Feitian card. On Lucid I had to install OpenSC 0.12.1 to make it work. I also had to copy over stuff from /usr/local/bin and /usr/local/lib to /usr/bin and /usr/lib. This is just for the sake of the record.

You shouldn't have done that. By copying files around, you probably overwrote something important. Also it worked in Lucid with the OpenSC version from the repos when I wrote the tutorial, so it definitely should still work now. You should have posted the error message you got with the version from the repos, because now, it's hard to tell where the error comes from since your installation is potentially broken.

You won't see me giving up... So I started to follow the howto step-by-step on a clean 10.04 64-bit machine. There are packages removed from the machine, but not anything which is related to this (I hope).

So the first note is "to add myself to the scard group". This group did not exist after installing the packages opensc pcsc-tools libccid. I did not do that yet, but I guess the commands are:

addgroup scard
addgroup yourname scard

I carried on skipping the steps with initializing the card, because that was done properly on the other machine already.

After listing the ID I went on to OpenSSL to request the certificate, but loading the engine failed: